Open Redirect in rotheross/otobo

Status: Valid

Reported on Oct 5th 2021


Description

There is an open redirect vulnerability in the following URL:

https://demo.otobo.org/otobo/index.pl?Action=ExternalURLJump;URL=https://google.com

After clicking the link, the victim is redirected to https://google.com: the value of the URL parameter is used as the redirect target, so an attacker can point it at any destination.
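As an added illustration (not OTOBO's code, and not the fix the maintainer merged, which this page does not show), the following is the validation an ExternalURLJump-style handler needs before it emits a Location: header. The allowlisted host, the fallback path, and the function names are assumptions made for this example; the request URL it is run against is the proof-of-concept from the report.

```python
from urllib.parse import urlsplit, unquote

# Hosts this deployment may send users to. Constructed for the example;
# a real deployment would take this from configuration.
ALLOWED_HOSTS = {"demo.otobo.org"}

# Where to send the user when the requested target is rejected (assumed).
FALLBACK = "/otobo/index.pl"


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for targets that stay on this site or an allowlisted host.

    Rejects what open-redirect payloads rely on: absolute URLs to foreign
    hosts, scheme-relative URLs (//evil.example), backslash variants
    (/\\evil.example, which browsers treat like //), userinfo tricks
    (https://good@evil.example), and non-http schemes such as javascript:.
    """
    if not url or any(c in url for c in "\r\n\t\x00"):
        return False
    # Browsers normalise backslashes to slashes in http(s) URLs, so
    # "/\\evil.example" is really "//evil.example": normalise before parsing.
    normalised = url.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept only an absolute path on this site ("/x").
        # "//host" would have set netloc and "javascript:" would have set scheme.
        return normalised.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port and lowercases, so
    # "https://demo.otobo.org@evil.example/" resolves to "evil.example".
    host = parts.hostname or ""
    # Exact match only: "demo.otobo.org.evil.example" must not pass.
    return host in allowed_hosts


def redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """The value a safe handler hands to the Location: header."""
    return url if is_safe_redirect(url, allowed_hosts) else FALLBACK


def handle_jump(request_uri, allowed_hosts=ALLOWED_HOSTS):
    """Emulate the endpoint's input handling: pull URL= out of the query
    string (OTOBO separates parameters with ';', as in the PoC URL) and
    decide where the response may redirect."""
    query = urlsplit(request_uri).query
    params = {}
    for pair in query.split(";"):
        key, _, value = pair.partition("=")
        params[key] = unquote(value)
    return redirect_target(params.get("URL", ""), allowed_hosts)


if __name__ == "__main__":
    poc = "https://demo.otobo.org/otobo/index.pl?Action=ExternalURLJump;URL=https://google.com"
    print("PoC redirects to:", handle_jump(poc))
    safe = "https://demo.otobo.org/otobo/index.pl?Action=ExternalURLJump;URL=/otobo/index.pl%3FAction%3DAgentDashboard"
    print("In-app link redirects to:", handle_jump(safe))
```

The check is deliberately exact-match on the host rather than a suffix or substring test, and it treats a relative target as safe only when it begins with a single slash; anything the parser cannot classify falls back to the application's own start page instead of being forwarded.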

We have contacted a member of the rotheross/otobo team and are waiting to hear back 2 months ago
rotheross/otobo maintainer validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
rotheross/otobo maintainer (Maintainer), 2 months ago:
Hello, here, too - this is now my testing ground... ;)

amammad (Researcher), 2 months ago:
:) hehe

rotheross/otobo maintainer (Maintainer), 2 months ago:
I will fix this now - would you like to be mentioned in a certain way in the commit message, later? (And thank you, here, too, of course!)

amammad (Researcher), 2 months ago:

I didn't get what you mean, but if it should exist, just tell me what I must do for you?

rotheross/otobo maintainer (Maintainer), 2 months ago:
You must do nothing, I will just fix this and push it to the otobo repository with a commit message like:

git commit -m 'Fixed an open redirect in ExternalURLJump. Thanks to amammad for disclosing it to us.'

Or similar, if you want some specific text, or don't want to be mentioned,... :)

amammad (Researcher), 2 months ago:

No thanks a lot

Can you just wait a while (one week) and then submit the reports? Because I want to investigate OTOBO more, and I don't want these two reports to become publicly available until then.

amammad (Researcher), 2 months ago:

Sorry, I mean: "can you just wait a while (one week) and then submit the commit here?"

rotheross/otobo maintainer (Maintainer), 2 months ago:
Hi amammad, actually our plan was to release a new version of OTOBO today, and as we are extremely busy with some projects atm, I will stick to that part, at least. However, I can wait for some days until I confirm the fix, here. (Out of curiosity - what do you gain from me keeping this for a while? Is there so much competition...?^^)

And does the "No thanks a lot" mean "no mention at all, please", or "nothing special, 'thanks amammad' is enough"? ;)

amammad (Researcher), 2 months ago:

Heheh, not so much competition, but a regular one :))

And yes, excuse me for the misunderstanding. I mean this: "nothing special, 'thanks Amammad' is enough", and thanks to you too :)

Also, there is no need to wait for the new version because of me, or to wait until the report is published on Huntr.dev.

I just wanted the reports to stay hidden for a while only in Huntr, not in the next OTOBO release.

best regards.

rotheross/otobo maintainer confirmed that a fix has been merged on de22bd 2 months ago
The fix bounty has been dropped
ExternalURLJump.pm#L17-L48 has been validated